Exploit kits are adopting a tactic more commonly found in botnet malware to make their attack campaigns more resilientpseudo-random domain generation.
Among the kits being associated with this activity is Blackhole, which has emerged as one of the most prevalent exploit kits in the wild. In a recent report, anti-malware technology company M86 Security said the Blackhole kit was responsible for 95 percent of all the malicious URLs it detected in the second half of 2011. In February, the kit was used to infect whistle-blower site Cryptome.
According to Symantec, Blackhole has now been observed utilizing pseudo-random domain generation to make attacks more persistent. The technique is commonly used by botnets to thwart efforts to disrupt their command and control (C&C) operations by generating new domain names for the malware to contact in case the C&C server is taken offline.
According to Symantec, Blackhole has now taken a page from botnet operators.
“When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system,” explained Symantec researcher Nick Johnston. “It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.”
“Although this approach has generally been very successful for malware authors, it has had one weakness,” he added. “If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.”
To address this issue, the Blackhole JavaScript on compromised sites is now dynamically generating domains based on the date and other information and creating an iframe to point to the new domain.
“Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed,” Johnston blogged.
But Blackhole is not the only kit to be utilizing these techniques. A researcher at Stopmalvertising.com found the pseudo-random domain generator in an .ASP file and AC_RunActiveContent.js on an infected Website. At first, however, the malicious code redirected the researcher to the RedKit exploit kit. Later, it redirected to Blackhole. The domain generator comes up with a new one every 12 hours, Stopmalvertising.com found.
“So far we have seen a small but steady stream of compromised domains using this technique,” blogged Johnston. “This suggests that this is perhaps some kind of trial or test that could be expanded in the future.”